Xref: utzoo comp.binaries.ibm.pc.d:6339 comp.sys.ibm.pc:43735 alt.msdos.programmer:1166
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!hellgate.utah.edu!boulder!tramp!haverlan
From: haverlan@boulder.Colorado.EDU (HAVERLAND MARC BRADLEY)
Newsgroups: comp.binaries.ibm.pc.d,comp.sys.ibm.pc,alt.msdos.programmer
Subject: Virus Warning and Questions
Message-ID: <16609@boulder.Colorado.EDU>
Date: 6 Feb 90 16:21:04 GMT
Sender: news@boulder.Colorado.EDU
Reply-To: haverlan@tramp.Colorado.EDU (HAVERLAND MARC BRADLEY)
Organization: University of Colorado, Boulder
Lines: 38

I seem to be experiencing a virus on my machine and three other machines
that have exchanged files. I have not experienced this before, and am not
very familiar with this class of problem. If anyone would like to tell me
what they know about viruses, any information would be most appreciated.
I will post a summary if requested.

The following is a description of what this thing looks like and acts
like, as far as I have been able to tell in one night.

o It only affects .com and .exe files.

o Infected .exe files seem to run fine, but infected .com files hang.

o A clean .com file will run fine until an infected .exe is run. Any
  subsequent execution of any .com file will infect that particular file.

o Infected .com files seem to be 1813 bytes longer than uninfected ones.

o The beginning of infected .com files is affected, and various locations
  in infected .exe files are affected.

o The following seems to be a reliable signature:

      e9 92 00 73 55 4d 73 44 6f 63   (Hex ASCII)
       .  .  .  s  U  M  s  D  o  c   (ASCII)

o This is only the first part of the changes made to the beginning of
  .com files. There is more, but searching for this seems reliable.

o This shows up at the beginning of infected .com files, and sometimes at
  approximately offset 1555.

o Using the Norton Utility TS (TextSearch) and searching for the string
  sUMsDos seems to be a reliable check.

Has anyone experienced this? What exactly do virus detectors do?
Can they clean up infected files, or do they just check them out?

Any suggestions, comments, or education on this subject would be
appreciated.

Thanks,
Marc Haverland
haverlan@tramp.colorado.edu
303-650-1100
303-266-6990
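The poster's manual check (search for the hex sequence, search for the ASCII text with Norton TS, and compare file sizes against a known-clean copy) can be scripted. The following is an added example, not part of the original post or any tool it names: it scans a file image for the 10-byte sequence quoted above, for the `sUMsDos` text fragment, for a hit near the "approximately offset 1555" location, and for growth of exactly 1813 bytes relative to a known-clean size. The tolerance of 64 bytes around offset 1555 is an assumption, and the "clean" and "infected" file images at the bottom are constructed for illustration, not captured samples.

```python
"""Signature scanner for the infection pattern described in the post.

Added example, not code from the original post. Every value it looks for
(the hex sequence, the 'sUMsDos' text, 1813-byte growth, offset ~1555) is
taken from the post; the 64-byte tolerance is an assumption.
"""
from pathlib import Path
from typing import Dict, List, Optional

# Hex sequence quoted in the post: e9 92 00 73 55 4d 73 44 6f 63
SIGNATURE = bytes.fromhex("e9920073554d73446f63")
# ASCII fragment the poster searches for with Norton TextSearch
ASCII_MARK = b"sUMsDos"
# Reported growth of infected .com files, in bytes
GROWTH = 1813
# Secondary location reported as "approximately offset 1555"
SECONDARY_OFFSET = 1555
SECONDARY_SLACK = 64  # assumed tolerance for "approximately"


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    hits, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def classify(data: bytes, clean_size: Optional[int] = None) -> Dict[str, object]:
    """Apply each of the poster's indicators to one file image.

    clean_size is the length of a known-good copy of the same program, if one
    is available; without it the size check is skipped.
    """
    sig_hits = find_all(data, SIGNATURE)
    ascii_hits = find_all(data, ASCII_MARK)
    all_hits = sig_hits + ascii_hits
    findings: Dict[str, object] = {
        "signature_at_start": bool(sig_hits) and sig_hits[0] == 0,
        "signature_offsets": sig_hits,
        "ascii_mark_offsets": ascii_hits,
        "near_secondary_offset": any(
            abs(o - SECONDARY_OFFSET) <= SECONDARY_SLACK for o in all_hits
        ),
        "size_grew_by_1813": clean_size is not None
        and len(data) - clean_size == GROWTH,
    }
    # Any single indicator is enough to flag the file for a closer look.
    findings["suspect"] = bool(all_hits or findings["size_grew_by_1813"])
    return findings


def scan_file(path: str, clean_size: Optional[int] = None) -> Dict[str, object]:
    """Read a file from disk and classify it."""
    return classify(Path(path).read_bytes(), clean_size)


# Constructed "clean" .com image: a tiny DOS program plus padding (not a real file).
CLEAN_COM = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3" + b"Hello$" + b"\x00" * 200


def make_constructed_infected(clean: bytes) -> bytes:
    """Build a constructed image that exhibits the indicators from the post:
    the hex signature at offset 0, the ASCII mark near offset 1555, and a
    length 1813 bytes greater than the clean image. Illustration only."""
    body = bytearray(clean + b"\x00" * GROWTH)
    body[0 : len(SIGNATURE)] = SIGNATURE
    body[SECONDARY_OFFSET : SECONDARY_OFFSET + len(ASCII_MARK)] = ASCII_MARK
    return bytes(body)


if __name__ == "__main__":
    infected = make_constructed_infected(CLEAN_COM)
    for name, image in (("clean", CLEAN_COM), ("infected", infected)):
        print(name, classify(image, clean_size=len(CLEAN_COM)))
```

Run against real files with `scan_file("PROGRAM.COM", clean_size=<size of a trusted copy>)`; a hit on any indicator only says the file deserves quarantine and comparison with a trusted copy, since the poster notes the signature bytes are just the first part of a larger change.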